Is ransomware considered a health data breach under HIPAA?


With 112 million healthcare records exposed across more than 250 separate breach incidents last year, it's safe to say that information security is on people's minds. The deluge of breaches has raised an important question about one particular kind of incident: does a ransomware attack constitute a data breach under HIPAA?

Dan Munro, writing at Forbes, and Jack Danahy, writing at HealthIT Security, recently took a look at what qualifies a ransomware attack as a data breach under HIPAA.

“Ransomware does represent a new legal ambiguity to the federal legislation known as HIPAA, which was designed to protect patients against the loss, theft or breach of their protected health information (PHI),” according to Munro. “In some ransomware cases, depending on the actual type of ransomware, PHI is never accessed, so there is technically no breach of PHI data.”

Regulators may not yet have a grasp of how serious a threat ransomware poses. With each attack, criminals are able to take hospital systems offline and force staff back to slow, outdated paper processes. Munro's position is that a ransomware attack in which the PHI is never accessed should not be treated as a violation of HIPAA's PHI disclosure restrictions. He also noted that weak security across the healthcare sector makes these attacks all the easier to carry out.

Danahy had a different way of seeing the potential of ransomware attacks and believes they do indeed qualify as a breach under HIPAA. “Over 100 of the disclosed breaches, representing hundreds of thousands of records, were reported because a system that contained PHI came under the control of a criminal,” wrote Danahy. “There is no need to verify that the information stolen in this manner is ever accessed or used; the existence of this important information in the hands of a criminal is enough of a threat that it must be reported.”

He argues that even where the PHI itself is never read, the fact that it came under a criminal's control is cause enough for the incident to be considered a breach under HIPAA. In Danahy's framing, a ransomware infection means that the system, and the PHI it holds, has been accessed by someone other than the healthcare provider, and that loss of control is itself what HIPAA requires to be disclosed.

While the two disagree on whether ransomware constitutes a breach under HIPAA guidelines, they agree that the healthcare industry must find a way to prevent these attacks. Both advise collecting data on the spending and costs the attacks impose, so that investments in prevention can be justified against the enormous risk that ransomware poses.